iOS developer Dan Nolan was appalled to learn as he marketed his first Android app that Google was providing him with the name, email address and city of every user who purchased his app.

iOS developer Dan Nolan was appalled to learn as he marketed his first Android app that Google was providing him with the name, email address and city of every user who purchased his app.

Google Play facilitates a transaction between the developer and the user; it does not position itself as the merchant. The transaction relies on Google Wallet and thus on its privacy policy. Google provides the seller with all of the information s/he would need if the user had bought a physical product rather than a digital one.

Individual apps have faced user backlash and even fines for grabbing information about a user from his or her phone without first asking permission.

“This is a massive oversight by Google. Under no circumstances should I be able to get the information of the people who are buying my apps unless they opt into it and it’s made crystal clear to them that I’m getting this information,” Nolan wrote on his blog.

Nolan received the information even when users had canceled their orders, he said. Users must also use their full name to publish app reviews on Google Play.

“With the information I have available to me through the checkout portal I could track down and harass users who left negative reviews or refunded the app purchase,” Nolan said.

Jonathan Mayer, a highly regarded Stanford graduate student in computer science who has written about privacy, thought Google could have “an FTC problem,” meaning that the Wallet privacy policy could be considered deceptive when compared to Google’s actual handling of consumer data.

To defend itself, Google will “have to lean hard on [the word] ‘necessary’ in the Wallet privacy policy,” Mayer tweeted.